Method and device for making a portal in a computer system secure

ABSTRACT

The present invention presents a device and a method for handling security in a computer system comprising an existing organizational directory. Upon reception of an access request from an entity to a server machine of the system, the device creates or searches in a security directory for security data attached to the entity, without modifying the data of the existing directory.

FIELD OF THE INVENTION

The present invention concerns a method and a device for making a portal in a computer system secure, using but not modifying an existing organizational directory.

PRIOR ART

The computer systems of entities such as businesses, universities, public administrations, etc., very often include a directory that defines physical persons, groups of people, organizational units or other elements belonging to this entity. The directory lists a designation of said persons, a location, a role within said entity and/or any other characteristics.

More and more, companies wish to make their computer systems secure, and particularly their employees' use of the Web or of a particular network of machines to access said system.

The current devices offered for making computer systems secure require the existing directory to be modified so that security data can be added to it. The installation of a security device in a computer system very often requires a complete and painstaking analysis of the existing directory as well as a redefinition of the users and their organization in said directory. The installation of the security device is costly in terms of both time and money.

Moreover, the modeling of the security influences the configuration of the computer system, and particularly the existing directory; reinforced security mechanisms for the directory itself must be added. The range of utilization of said directory by the users is consequently reduced.

One problem addressed by the present invention relates to the modification of the existing directory of a computer system during the securing of said system.

One object of the present invention consists of handling the security of a computer system while maintaining the existing organizational directory of said system.

Another object of the present invention consists of installing a security device into a computer system automatically without affecting the components of the system, i.e., to offer a “plug & play” automatic installation solution.

SUMMARY OF THE INVENTION

In this context, the present invention offers a method for making a computer system comprising at least one client machine and at least one server machine secure, wherein an existing organizational directory lists an entity by means of a unique designation, characterized in that it consists of creating a security directory in which security data are stored and/or, upon reception of a request from an entity via a server machine, of searching in said security directory for the security data related to said request and said entity, using the unique designation of said entity found in the directory.

The present invention also concerns the system for implementing said method, applications of said method, and the program that implements said method.

PRESENTATION OF THE FIGURES

Other characteristics and advantages of the invention will become clear in light of the following description, given as an illustrative and non-limiting example of the present invention, in reference to the attached drawings in which:

FIG. 1 is a schematic view of an embodiment of the system according to the invention;

FIG. 2 represents an exemplary existing organizational directory of the system represented in FIG. 1;

FIG. 3 is a first exemplary arrangement of security data in the system according to the present invention represented in FIG. 1;

FIG. 4 is a second exemplary arrangement of security data in the system according to the present invention represented in FIG. 1.

DESCRIPTION OF AN EMBODIMENT OF THE INVENTION

The computer system can be a system whose environment is distributed or local.

As shown in the embodiment of the system according to the invention illustrated in FIG. 1, the system 1 is distributed and composed of machines 2 a, 2 b, 2 c, 2 d, 2 e, 2 f, 2 g, 2 h organized into one or more networks 3. A machine 2 is a very broad conceptual unit that includes both hardware and software. The machines can be very diverse, such as for example workstations, servers, routers, specialized machines, telephones or gateways between machines. Only the components of the machines 2 of the system 1 that are characteristic of the present invention will be described, the other components being known to one skilled in the art.

As shown in FIG. 1, in the present invention, the system 1 is a computer system comprising at least one machine 2 a called a client machine 4, at least one security machine 2 b called a security gateway 5, and at least one machine 2 c called a server machine 6. The security gateway 5 is accessible via the client 4 and server 6 machines; it is placed between these two machines in order to intercept and process all the requests issuing from the client machines 4 and addressed to the server machines 6.

The system 1 comprises resource machines 2 d called resources 7 that the client machines 4 wish to access at the request of calling entities 8. The resources 7 are accessible via the server machine 6 and are managed by said machine.

The system 1 includes storage means 9 and means for handling accesses to an organizational directory 10 in which the entities 8 of the system 1 are listed and stored. In the embodiment illustrated in FIGS. 1 through 3, the storage means 9 comprise a disk in a machine 2 e, the machine 2 e being connected to the gateway 5. According to another embodiment, the storage means 9 comprise a memory in the security gateway 5. In the embodiment illustrated, the calling entities 8 are users (physical persons) of the system; the users 8 are arranged in the directory 10 based on their geographical location, as shown in FIG. 2. Thus, for example, the user Marc Dupont is located in Lille, in France.

The gateway 5 accesses the organizational directory 10 using the LDAP protocol (Lightweight Directory Access Protocol) or any equivalent protocol. A protocol equivalent to the LDAP protocol is a protocol for which the accessed directory has similar characteristics.

The characteristics of the LDAP protocol or an equivalent protocol are as follows:

-   the data are stored in storage units;
-   the data are organized so as to be accessible during a creation, a search, a modification or a deletion;
-   a storage unit is identified in a unique way by means of an identifier or a name or the like.

In detail, for the example illustrated, the characteristics of a directory accessed using LDAP are as follows:

-   The data are organized hierarchically. “Branches” derive from a single “root” (France in FIG. 2). Each “node” can have either other branches, or “leaves.”
-   The unit of storage is called an “LDAP entry” 11. The LDAP entry 11 is either a node or a leaf. In FIG. 2, an LDAP entry 11 is represented by a rectangle.
-   An LDAP entry is associated with a certain amount of information that is specific to it; this information is called the “attributes” of the entry. The directory contains an attribute identifying each user in a unique way: the unique identifier. The unique identifier corresponds, in the example illustrated, to the first letter of the first name joined to the last name of the user 8: MDupont for Marc Dupont.
-   An entry 11 is unambiguously identified by means of a unique name called the dn (distinguished name). The dn of Marc Dupont in FIG. 2 is as follows:
    -   Dn=Marc.Dupont/Lille/France
-   The unique name depends on the organization of the directory. If the organization changes (the subsidiary Lille disappears), the unique name of the entry concerning, for example, Marc Dupont, changes:
    -   Dn=Marc.Dupont/Paris/France. On the other hand, the unique identifier of Marc Dupont remains unchanged: MDupont.

The system 1 includes storage means 12 and means for handling access to a security directory 13. In the embodiment illustrated in FIGS. 1 through 3, the storage means 12 comprise a disk in a machine 2 f, the machine 2 f being connected to the gateway 5. According to another embodiment, the storage means 12 comprise a memory in the security gateway 5.

According to another embodiment, the storage means 12 correspond to the storage means 9. The security data are stored on the same physical medium as the existing data concerning the entities 8. The security data are logically separated from the existing data. For example, the security data are all located in a single branch attached to the existing directory. No matter what physical medium and logical form are used, the data are said to be stored in the security directory 13, it being understood that the security directory can take the form of a branch attached to the existing directory on the same physical medium.

The security directory 13 in the embodiment illustrated is accessed using LDAP.

In the embodiment illustrated in FIG. 3, the information collected in the security directory 13 is:

-   one or more pieces of information for mapping between addresses on the Web, called URLs (Uniform Resource Locators), requested by the user, and URLs protected by the security gateway 5; the purpose of the mapping information is to hide the real internal URLs of the server machines from the client machines. The adjectives internal and external qualify the position of a machine relative to the gateway 5. Upstream from the gateway 5, no security device is present and the machines are external (outside the security device). Downstream from the gateway 5, the machines 2 are protected by the gateway 5, which intercepts and handles the security of external requests coming from external machines; the components of the system are qualified as internal. For example, as shown in FIG. 3, the mapping information indicates that the requested URL “http://www.portal.com/supp” corresponds to the protected URL “http://www.portal.supp.com/”. The address “http://www.portal.com/” is the URL of the security gateway 5; the requests from the user 8 are directed to the gateway 5, whereas the user thinks he is connected to the server “supp” of the support application. The URL of the server machine contains the URL of the gateway 5, but the user 8 is not aware of this. By typing the URL “http://www.portal.com/supp”, the user believes he is connecting directly to the server machine “supp” that handles the support application, whereas in fact, he is connecting to the gateway having the URL “http://www.portal.com/”.
-   a URL collection or collections: in the example illustrated, the URL collections indicate, through appropriate link attributes, the existence of an access control list for the application whose URL is protected. In the example described, the URL collections are clearly defined: URLs in the same collection are characterized by a regular expression. For example (FIG. 3), all of the URLs characterized by the regular expression “http://www.portal.supp.com/documents/licenses/*”, in which “*” represents one or more characters of any type, are part of the same collection. The protected URL “http://www.portal.supp.com/documents/licenses/” is part of said collection. URLs in the same collection have the same access rights to applications. Again in the example described, the entry corresponding to the collection “http://www.portal.supp.com/documents/licenses/*” comprises a link attribute to the support application, the support application comprising a link attribute to the access control list for this application; thus there is an access control list for the support application.
-   an access control list or lists: the access control lists (ACLs in FIGS. 3 and 4) stored in the storage means 12 indicate access rights of users 8 to server machines 6. In the embodiment illustrated, the access control list comprises a list of identifiers and dn's of users 8 or dn's of groups.
-   an account base for applications: the accounts store identifiers and user dn's as well as login names and passwords specific to the users 8 for accessing the applications in question. One entry per application is created. In each application, there is an entry containing the necessary information in the form of a list of attributes.
-   and/or any other information required to implement security.

In the example illustrated in FIG. 2, users 8 having similar privileges are gathered into groups.

A privilege is a security attribute of a user 8 that makes it possible to control the latter's access to a server machine 6. For example (FIG. 2), a user such as Adrien Loc is assigned the privilege “group-resa”, a privilege that authorizes him to access the reservation application.

The system 1 includes a management machine 2 b called a user management console 14, which makes it possible to enter, modify, delete, and search for the users and the groups to which they belong, and a management machine 2 h called a security management console 15, which makes it possible to enter, modify, delete, and search for the data in the security directory 13.

According to a particular embodiment of the system according to the invention, the machines 2 belong to the Web. The client machine 2 a includes a piece of browser software 15 through which the user 8 sends his requests to a site on the Web. The entry point to a set of given sites is called a portal. The portal provides a page on the web on which the owner of the site organizes and presents the information on said site in a customized way. A page on the Web (commonly called a Web page in computer literature) is an electronic document such as, for example, a text file, an image, or a video into which special codes (the tags) have been inserted, which control the structure, the appearance, the dynamic behavior, etc., of the page in software for navigating on the Web (commonly called Web browsers in computer literature). A Web browser is a piece of software used to present a document to a user, and to keep track of the relationships established between this document and other documents by means of Web links.

The gateway 5 secures the portals of the sites of the server machines 6 by intercepting and processing the requests coming from the client machines 4.

The method according to the present invention proceeds in the following way in the computer system illustrated in FIGS. 1 through 4. It should be noted that the method can be used in any other system.

The first step consists of creating the security directory 13 in the computer system 1.

The mapping information, the information related to the collections of protected URLs and the access control lists (ACLs) are entered directly by an administrator user 8 a from the security management console 15. The gateway 5 searches in the organizational directory 10 for the identifier and the dn of the user 8 in question, which are necessary for arranging the security data in the security directory.

In the example illustrated in FIG. 2, the administrator 8 a enters from the security management console 15 the following data:

-   the mapping between the external URL “http://www.portal.com/supp” and the protected internal URL “http://www.portal.supp.com/” as well as the mapping between the external URL “http://www.portal.com/resa” and the protected internal URL “http://www.portal.resa.com/”;
-   the URL collection characterized by the expression “http://www.portal.supp.com/documents/licenses/*” and the one characterized by the expression “http://www.portal.resa.com/reservation/launch/”. Each of these URL collections has a link attribute to an access control list;
-   an access control list for the support application and one for the reservation application.

When the user 8 wants to subscribe to a given application, he sends the server machine 6 that manages said application an account creation request. The security gateway 5 intercepts said account creation request for the application in question. The security gateway 5 transmits to the client machine 4 a page dedicated to the opening of an account for the application in question. The user enters the information requested on said page and sends the completed page back to the server machine 6 to which the user wants to connect. The security gateway 5 intercepts said response, extracts the information entered by the user 8 and adds it to the security directory 13. To do this, it begins by searching for the user 8 in the organizational directory 10, and more particularly for his identifier and his distinguished name (dn). It creates an LDAP entry 11 in the directory 13 corresponding to the application in the branch of account bases, and an entry in the branch of accounts created corresponding to the user 8. The entry 11 of the user 8 includes the following attributes:

-   the unique identifier of the user (“MDupont” in the example of FIG. 3);
-   the unique dn of the user (Marc.Dupont/Lille/France);
-   the login name (Dupont) and the password (tipiti) required to access the application in question.

The security directory 13 is created partly during its installation and partly during the running of the system 1.

The security gateway 5 intercepts a request from a user 8 for access to a protected URL. The gateway 5 verifies that the user 8 has been authenticated using the method described in the patent application entitled “METHOD AND DEVICE FOR HANDLING AN AUTHENTICATION IN A COMMUNICATION USING HTTP,” filed by the present Applicant on the same day as the present application.

If the user 8 has not yet been authenticated, the security gateway 5 requests authorization of the user 8 from the client machine 2 a. The client machine 2 a presents an authentication window to the user 8. The user fills in said window, specifically indicating his identifier and the information required to form a distinguished name. The information entered is sent back to the gateway 5.

When the user has been authenticated, the security gateway 5 searches in the organizational directory 10 for the authenticated user 8, and more particularly for his unique identifier and his distinguished name.

Requests for access to a URL indicate, depending on the client machines 4, the identifier or the dn of the user 8. The use of both designations by the present device makes it possible to process all of the requests coming from client machines.

The gateway 5 verifies whether the user 8 is part of a group in the organizational directory. The gateway 5 extracts from the organizational directory 10 the unique identifier, the distinguished name of the user 8 and the name of one or more groups to which the user 8 may belong, called the groups of the user 8.

For example, if Adrien Loc wants to connect to the reservation application, the gateway 5 extracts from the directory 10 the identifier ALoc, the dn Adrien.Loc/Paris/France, and the group group-resa.

The gateway 5 searches in the security directory 13 for the mapping information attached to the URL requested by the user.

If the mapping information does not exist in the directory 13, the gateway 5 returns an error to the client machine 4: the URL does not exist.

If the mapping information is present in the directory 13, the gateway 5 retrieves the corresponding protected internal URL.

The gateway 5 searches in the security directory 13 to see whether the internal URL retrieved is part of a collection of URLs protected by an access control list.

If this is not the case, the machine 2 b considers access to the URL to be open and transmits the request for access to the internal URL retrieved.

If the internal URL retrieved is part of a collection of protected URLs, the gateway 5 consults the link attribute to an access control list. The gateway verifies that the user 8, or one or more of the user's groups, belongs to the access control list for the application in question. As seen above, the gateway has retrieved from the organizational directory 10 the identifier and the dn of the user 8 as well as the dn of the user's group or groups. The gateway searches for the user's identifier and dn or for the dn of the user's group or his various groups, if any exist, in the access control list of the application in question.

In the example of FIGS. 2 through 4, the gateway retrieves from the directory 13 of FIG. 3 the user Marc Dupont and the group group-resa of the user Adrien Loc, if Marc or Adrien have sent requests for access to the support and reservation applications, respectively, from a client machine 4. The gateway 5 deduces that Marc has the right to access the support application, and that Adrien has the right to access the reservation application, subject to an account for said applications.

If the search is unsuccessful, i.e. if neither the identifier nor the dn of the user, nor the dn of a group of the user, has been found in the access control list, the gateway 5 deduces that access is denied: an access denied response is immediately transmitted to the user 8 on the machine 2 a.

If the gateway finds the user's identifier or dn, or the dn of the group or the various groups of the user 8 in the access control list, the gateway 5 proceeds with the processing of the request by analyzing the account of the user 8, or of the group to which he belongs, for the application in question. The gateway 5 searches in the account base for the branch corresponding to the application whose URL is protected; if there is an account for this application, the gateway 5 searches in said account for the unique identifier or the distinguished name of the user retrieved from the organizational directory.

If the machine 2 b finds the unique identifier or the distinguished name in the branch of the application in question, it extracts from the security directory 13 the login name and the password required to access said application.

If the machine does not find any direct account for the user, it searches for an account listed under the name of a group of the user. If such an account is found, the machine extracts from the security directory 13 the login name and password required to access said application (in the name of the group).

In the example of FIG. 3, when Marc Dupont requests access to the support application, the gateway 5 extracts from the directory 13 the login name Dupont and the password Tipiti. In the example of FIG. 4, no account has been provided for the group group-resa or for Adrien Loc.

The gateway transmits the login name and the password of the user 8 in question to the server machine 6 whose URL is protected, followed by the request from said user. The server machine 6 receives the user's login name and password and authorizes his access. The gateway 5 performs a “Single Sign On”, i.e. a single connection procedure for a set of applications; the user is authenticated only once; his login names and passwords are not required with each access to an application. The gateway stores the login names and passwords per application for the user 8.
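The following is an added worked example, not code from the patent, modelling the decision sequence just described (mapping lookup, URL collection and access control list, account base, single sign-on) together with the earlier point that a user's unique identifier survives a directory reorganization while the dn does not. The security directory is represented with plain dicts rather than LDAP entries; the attribute names (mappings, collections, acls, accounts), the group designation "group-resa" used in the ACL, and the treatment of URL mapping as a prefix rewrite are assumptions, and the sample data is constructed from the FIG. 2 through 4 examples.

```python
"""Model of the security gateway's lookups in the security directory.

Added illustration, not the patent's own code. Dicts stand in for LDAP
entries; attribute names, the "group-resa" designation and the prefix
treatment of URL mapping are assumptions. Data constructed from FIGS. 2-4.
"""
import re
from dataclasses import dataclass, field


@dataclass
class User:
    """What the gateway extracts from the organizational directory."""
    uid: str                                    # unique identifier (MDupont)
    dn: str                                     # distinguished name
    groups: list = field(default_factory=list)  # designations of the user's groups


# Security directory (constructed example).
SECURITY_DIRECTORY = {
    # external URL requested by the user -> protected internal URL
    "mappings": {
        "http://www.portal.com/supp": "http://www.portal.supp.com/",
        "http://www.portal.com/resa": "http://www.portal.resa.com/",
    },
    # URL collection expression -> application it links to
    "collections": {
        "http://www.portal.supp.com/documents/licenses/*": "supp",
        "http://www.portal.resa.com/reservation/launch/*": "resa",
    },
    # application -> access control list of user identifiers, user dn's or group dn's
    "acls": {
        "supp": {"MDupont"},
        "resa": {"group-resa"},
    },
    # account base: application -> {identifier, dn or group: (login, password)}
    "accounts": {
        "supp": {"MDupont": ("Dupont", "tipiti")},
        "resa": {},
    },
}


def map_url(requested_url, directory):
    """Return the protected internal URL for a requested external URL, or None.

    The page pairs one external URL with one internal URL per application;
    treating that pairing as a prefix rewrite (assumption) lets the rest of
    the requested path pass through to the internal server.
    """
    # longest external prefix first, so a short entry does not shadow a longer one
    ordered = sorted(directory["mappings"].items(), key=lambda kv: -len(kv[0]))
    for external, internal in ordered:
        if requested_url == external or requested_url.startswith(external + "/"):
            return internal + requested_url[len(external):].lstrip("/")
    return None


def collection_regex(expression):
    """Turn a collection expression into a regex. The page defines "*" as one
    or more characters but also counts the bare ".../licenses/" URL as a
    member of the collection, so "*" is modelled here as zero or more."""
    return re.compile("^" + re.escape(expression).replace(r"\*", ".*") + "$")


def find_application(internal_url, directory):
    """Application whose URL collection contains internal_url, or None."""
    for expression, app in directory["collections"].items():
        if collection_regex(expression).match(internal_url):
            return app
    return None


def find_account(app, user, directory):
    """Direct account under the user's identifier or dn first, then an account
    listed under the name of one of the user's groups."""
    accounts = directory["accounts"].get(app, {})
    for designation in [user.uid, user.dn, *user.groups]:
        if designation in accounts:
            return accounts[designation]
    return None


def authorize(requested_url, user, directory=SECURITY_DIRECTORY):
    """Gateway decision for an already authenticated user, in the order the
    page describes: mapping, collection and ACL, account base, single sign-on."""
    internal_url = map_url(requested_url, directory)
    if internal_url is None:
        return {"status": "error", "reason": "URL does not exist"}
    app = find_application(internal_url, directory)
    if app is None:
        return {"status": "open", "url": internal_url}
    acl = directory["acls"].get(app, set())
    # the user's own identifier and dn, or the designation of any of the user's groups
    if not ({user.uid, user.dn, *user.groups} & acl):
        return {"status": "denied", "application": app}
    account = find_account(app, user, directory)
    if account is None:
        return {"status": "anonymous", "application": app, "url": internal_url}
    login, password = account
    return {"status": "sso", "application": app, "url": internal_url,
            "login": login, "password": password}
```

Because the ACL and account base are keyed on the unique identifier as well as the dn, moving Marc Dupont from Lille to Paris changes only his dn and leaves his access decision unchanged.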

The present invention therefore offers a device and a method for handling security in a computer system 1 comprising an existing organizational directory 10, making it possible, upon reception of a request from an entity 8 for access to a server machine 6 of the system 1, to create or search in a security directory 13 for security data attached to said entity 8 without having to modify the existing data in the directory 10.

Hence, the present invention concerns a method for securing a system 1 comprising at least one client machine 4 and at least one server machine 6, wherein an existing organizational directory 10 lists an entity 8 by means of a unique designation, characterized in that it consists of creating a security directory 13 in which security data are stored and/or, upon reception of a request from an entity via a server machine 6, of searching in said security directory 13 for the security data related to said request and said entity 8, using the unique designation of said entity 8 found in the directory 10.

The method uses as the unique designation an identifier and a distinguished name.

The method consists of intercepting, by means of the gateway 5, all of the requests addressed to the server machine by the client machine, by sending requests to a URL of the server machine that contains the URL of the gateway.

The security data comprise:

-   at least one piece of information for mapping between a URL requested by the entity 8 and a protected URL, and/or
-   at least one URL collection, and/or
-   at least one access control list, and/or
-   at least one account for an application.

The method consists of searching in the security directory 13 for mapping information for the request in question, of returning an error to the client machine 4 if the mapping information does not exist, and of processing the request using the protected URL or performing searches for other security data if the mapping information exists.

The method consists of searching in the security directory 13 to see if there is an access control list attached to the application involved in this request, of considering access to the application to be open if no access control list is found, of searching for the entity 4 or for a group to which it belongs in the list found and denying access to the application if the entity and/or the group is absent from the list, and of processing the request or performing other searches for security data if the entity and/or the group is present in the list found.

The method consists of searching in the security directory 13 for an account for the application involved in said request in the name of the entity 4 or of a group to which it belongs, of authorizing access to said application and considering it to be anonymous if no account is found, and of processing the request with the security data of the account found or performing other searches for security data if an account is found.

The present invention also concerns a device for securing a system 1 comprising at least one client machine 4 and at least one server machine 6, wherein an existing organizational directory 10 lists an entity 8 by means of a unique designation, characterized in that it comprises a machine 2 and a security directory 13 in storage means 12, the machine 2 making it possible to create, modify, delete or search in the security directory 13 for security data, using as the security data attached to the entity 8 the unique designation found in the directory 10.

The machine 2 is a security gateway 5 placed between the client machine 4 and the server machine 6 that intercepts all of the requests addressed to the server machine by the client machine, the client machine sending requests to a URL of the server machine that contains the URL of the gateway.

The device includes a security management console 15 for entering, modifying, deleting, or searching for all or some of the security data in the directory 13.

The present invention applies to the securing of a portal, the machine 2 a including a piece of browser software through which the entity 8 sends requests to said portal. The present invention also applies to a single sign-on procedure.

The present invention relates to a program integrated into a machine 2 of a computer system 1 implementing the method according to the present invention.

While this invention has been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, the preferred embodiments of the invention as set forth herein, are intended to be illustrative, not limiting. Various changes may be made without departing from the true spirit and full scope of the invention as set forth herein and defined in the claims.

1. A method for making secure a computer system having at least one client machine, at least one server machine, and an existing organizational directory, the method comprising: listing entities in the organizational directory using unique designations, creating a security directory in which modifiable security data are stored, the security data including information for mapping and further comprising at least one access control list for an application, upon receipt of a request from an entity, searching in said security directory using the unique designation of said entity in the directory to obtain security data related to the request from the entity, wherein the searching in said security directory further comprises searching in the security directory for an access control list related to the application involved in the request, considering access to said application to be open if no access control list is found, searching for an entity or for a group to which the entity belongs if the access control list is found, denying access to the application if the entity and/or the group is absent from the access control list, and based on the security data, processing the request or performing other searches for security data if the entity and/or the group is present in the found list.

2. The method according to claim 1, further comprising: using as the unique designation an identifier and a distinguished name.

3. The method according to claim 1, further comprising: intercepting all requests addressed to the server machine from the client machine using a gateway, and sending requests to a URL of the server machine that contains the URL of the gateway.

4. The method according to claim 2, further comprising: intercepting all requests addressed to the server machine from the client machine using a gateway, and sending requests to a URL of the server machine that contains the URL of the gateway.

5. The method according to claim 1, wherein the security data comprise at least one piece of information for mapping between a URL requested by the entity and a protected URL.

6. The method according to claim 1, wherein the security data comprise at least one URL collection.

7. The method according to claim 1, wherein the security data comprise at least one account for an application.

8. The method according to claim 1, wherein the security data comprise at least one piece of information for mapping between a URL requested by an entity and a protected URL and further including at least one URL collection.

9. The method according to claim 1, wherein the information for mapping includes at least one piece of information for mapping between a URL requested by the entity and a protected URL, and wherein the security data further comprise at least one URL collection, at least one account for an application.

10. The method according to claim 8, further comprising: searching in the security directory for mapping information for the request by the entity, returning an error to the client machine if the mapping information does not exist, and processing the request using the protected URL or performing searches for other security data if the mapping information exists.

11. The method according to claim 9, further comprising: searching in the security directory for an account for the application involved in said request in the name of the entity or of a group to which the entity belongs, authorizing access to said application, considering the request to be anonymous if no account is found, and processing the request with the security data if the account is found.

12. The method according to claim 10, further comprising: searching in the security directory for an account for the application involved in said request in the name of the entity or of a group to which the entity belongs, authorizing access to said application, considering the request to be anonymous if no account is found, and processing the request with the security data if the account is found.

13. The method according to claim 1, further comprising: searching in the security directory for an account for the application involved in said request in the name of the entity or of a group to which the entity belongs, authorizing access to said application, considering the request to be anonymous if no account is found, and processing the request with the security data if the account is found.

14. A security device for making a computer system secure, wherein the computer system includes at least one client machine and at least one server machine, wherein an existing organizational directory in the computer system lists an entity by means of a unique designation, the security device comprising: a gateway interconnected between the server machine and client machine; and a memory connected to the gateway, said memory having a security directory and being configured to create, modify, delete, or search, based on receipt of a request from an entity, in the security directory for modifiable security data, the modifiable security data attached to the entity having the unique designation in the organizational directory, the security data including information for mapping and further comprising at least one access control list for an application, and the security data being utilized to process the request, wherein the memory is further configured to search in the security directory for an access control list related to the application involved in the request, consider access to said application to be open if no access control list is found, search for an entity or for a group to which the entity belongs if the access control list is found, deny access to the application if the entity and/or the group is absent from the access control list, and process the request or perform other searches for security data if the entity and/or the group is present in the found list.
 15. The security device according to claim14, wherein the gateway is interconnected between the client machine andthe server machine and is configured to intercept all requests addressedto the server machine by the client machine, the client machine sendingrequests to a URL of the server machine that contains the URL of thegateway.
 16. The security device according to claim 14, furtherincluding: a security management console connected to the gateway forentering, modifying, deleting, or searching for all or some of thesecurity data in the security directory.
 17. The security deviceaccording to claim 15, further including: a security management consoleconnected to the gateway for entering, modifying, deleting, or searchingfor all or some of the security data in the security directory.
 18. Themethod for making secure a computer system according to claim 1, whereinsaid step of searching, upon receipt of the request from the entity,further comprises receiving said request using a browser.
 19. The methodfor making secure a computer system according to claim 1, furthercomprising: controlling access using a single sign-on procedure.
 20. Acomputer-readable storage medium encoded with a sequence of programmedinstructions that, when executed by a computer, cause the computer toperform a method for making a computer system secure, the computersystem having at least one client computer, at least one servercomputer, and an existing organizational directory, the methodcomprising: listing entities in the organizational directory usingunique designations, creating a security directory in which modifiablesecurity data are stored, the security data including information formapping and further comprising at least one access control list for anapplication, upon receipt of a request from an entity, searching in saidsecurity directory using the unique designation of said entity in thedirectory to obtain security data related to the request from theentity, wherein the searching in said security directory furthercomprises searching in the security directory for an control listrelated to the application involved in the request, considering accessto said application to be open if no access control list is found,searching for an entity or for a group to which the entity belongs ifthe access control list is found, denying access to the application ifthe entity and/or the group is absent from the access control list, andbased on the security data, processing the request or performing othersearches for security data if the entity and/or the group is present inthe found list.
 21. The computer-readable storage medium of claim 20,further comprising: using as the unique designation an identifier and adistinguished name.
 22. The computer-readable storage medium of claim20, further comprising: intercepting all requests addressed to theserver machine from the client machine using a gateway, and sendingrequests to a URL of the server machine that contains the URL of thegateway.
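The decision flow that claims 10, 11, 14 and 20 describe (gateway interception, URL mapping lookup, access control list check, account lookup), as an added example that is not part of the patent; the gateway URL, the distinguished names, the security directory contents and the organizational directory contents are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed: the client addresses the server through the gateway (claims 3, 15).
GATEWAY_URL = "https://gw.example.org"

@dataclass
class SecurityDirectory:
    """Security data kept apart from the organizational directory (claim 1)."""
    url_mapping: dict  # requested path -> (application, protected URL)  (claims 5, 10)
    acls: dict         # application -> set of entity/group DNs; absent = open (claim 14)
    accounts: dict     # (application, entity or group DN) -> account name (claim 11)

# Constructed organizational directory, read but never modified: entity DN -> group DNs.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
FINANCE = "cn=finance,ou=groups,dc=example,dc=org"
ORG_DIRECTORY = {ALICE: {FINANCE}, BOB: set()}

# Constructed security directory keyed by the same DNs (the unique designation, claim 21).
SECDIR = SecurityDirectory(
    url_mapping={"/finance": ("finance-app", "https://intranet.example.org/fin/"),
                 "/wiki": ("wiki", "https://wiki.example.org/")},
    acls={"finance-app": {FINANCE}},          # "wiki" has no ACL, so it is open
    accounts={("finance-app", FINANCE): "fin_shared"},
)

def decide(secdir, org, entity_dn, requested_url):
    """Gateway decision for one intercepted request: (status, protected_url, account)."""
    if not requested_url.startswith(GATEWAY_URL + "/"):
        return ("error", None, None)          # request did not come through the gateway
    path = requested_url[len(GATEWAY_URL):]
    # Claim 10: no mapping information -> an error is returned to the client machine.
    if path not in secdir.url_mapping:
        return ("error", None, None)
    app, protected_url = secdir.url_mapping[path]
    groups = org.get(entity_dn, set())
    # Claim 14: no ACL -> access open; ACL present but entity and groups absent -> deny.
    acl = secdir.acls.get(app)
    if acl is not None and entity_dn not in acl and not (groups & acl):
        return ("denied", None, None)
    # Claim 11: account in the name of the entity, else of one of its groups; none -> anonymous.
    for principal in [entity_dn, *sorted(groups)]:
        account = secdir.accounts.get((app, principal))
        if account is not None:
            return ("authorized", protected_url, account)
    return ("anonymous", protected_url, None)

if __name__ == "__main__":
    for dn, url in [(ALICE, "/finance"), (BOB, "/finance"), (BOB, "/wiki"), (ALICE, "/none")]:
        print(dn.split(",")[0], url, "->", decide(SECDIR, ORG_DIRECTORY, dn, GATEWAY_URL + url))
```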